IntSights' Blog

Major Carding Site Replacement: How Altenen.nz Rose from the Ashes of Altenen.com

At the end of May 2018 (only a few months ago), there was a major site takedown that shook the dark web world. This site was Atlenen.com, a major carding site where hackers bought and sold fraud tactics. The site was taken down after Israeli authorities arrested the site’s manager, a Palestinian from Hebron. In the aftermath, a number of new carding sites have come and gone, but one has emerged as the potential replacement, with its daily user count quickly rising.

Here’s our recap of the site takedown, and where threat hunters should shift their focus for finding new threats and fraud tactics.

Altenen Background & History

Altenen was first launched in 2008. The site manager, who was in his early twenties when the site was launched, ran it for nearly a decade until it was taken down a few months ago.

Altenen was known in the hacking community as one of the biggest carding sites, along with bitshacking.com, club2crd.cc, and ccc.mn, which aren’t far behind in terms of their reputation. Israeli authorities have estimated that Altenen led to fraud for over 20 thousand cards, resulting in $31 million in money laundering.

A carding site is usually a site where hackers sell fraud methods or fraud services with credit cards. They can either sell stolen cards that were probably leaked in a data breach, or provide methods to generate card numbers, then check their validity and balance.

In the dark web world, it is difficult to develop a good reputation, especially when it comes to illegal services. For scamming services, hackers are very unlikely to trust a site because scams are often hidden in the services that are being sold. For this reason, there aren’t many sites that have significant rules, and when one of the dominant players falls, everyone looks to see who will inherit the throne.

Finding an Alternative

As fraud continues to rise, it’s only a matter of time before a replacement comes along. Since Altenen was shut down, we’ve been monitoring which site will emerge as the new favorite site.

We didn't find many hackers talking about a new carding service replacing Altenen; but rather, other sites with the same name and the same design. It seemed that the management team was trying to leverage its established name and credibility, and not open it as a new brand.

In parallel, many scammers took advantage of this situation and opened their own sites using Altenen's brand, which over time appeared to be fake. The promotion for a new Altenen site was everywhere, either on YouTube videos, comments on other hacking forums, and even posts on paste sites. Many of the fake sites didn’t last long and were shut down shortly after they were discovered.

For a while, it felt a bit like musical chairs, where many new sites with the same name and purpose surfaced, and we were just waiting for the music to stop to see which will be the last one standing. However, there was one site that has appeared to emerge as the new favorite and replacement, called Altenen.nz.

Altenen.nz: The New Carding Site Heir

Altenen.nz appears to be the new heir to Altenen.com. It has the same design and seems to be running the same services as the old one. The forums appear to be active and carry information that is updated with the latest news. However, it does not appear to contain the same content of the old site. This means that they didn’t clone their old site; but rather, started everything from scratch. This raises the question of whether it’s the same management team or not.

Altenen.nz has a count on their homepage with the number of daily users visiting the site, which currently amounts to over 2000 daily users, 600 of which are members. These statistics were also verified on trusted web statistic sites, which also show an increase of about 1000 unique daily users. Therefore, it appears that this site could slowly be starting to regain its reputation.

On the other hand, the original site’s previous traffic amounted to around 20,000 daily visitors. We assume this decrease is not only because of the takedown, but also because many hackers aren’t satisfied with the current site’s functionality, especially with the decrease of information published on it. Therefore, it appears Altenen has not caught up to where it once was. It will be interesting to continue monitoring the site to see if it will regain its previous success and outlast some of its competitors.

Image 1: Altenen.nz home page and current user count

Image 2: Traffic breakdown for Altenen.nz

Conclusion

Illegal sites like Altenen can be very fragile, tending to come and go frequently and without warning. Whenever a major site gets taken down, new alternatives will likely rise in the aftermath. If you’re a threat hunter, it’s important to stay on top on top of which sites are taken down and which new ones surface so you can continue to hunt threats and threat actors where they are spending their time.

Orin Mor is a Security Researcher at IntSights, focused on hunting for new threats and threat actors on the Dark Web, and working to identify new attack strategies and vectors. Prior to IntSights, she served for 5 years as a Security Researcher in an elite intelligence unit in the Israeli Defense Forces, specializing in cyber operations, data mining and threat research.

Revolutionizing cybersecurity with the first of its kind enterprise threat intelligence and mitigation platform that drives proactive defense by turning tailored threat intelligence into automated security action.